Menu
I am trying to implement some restrictions on my MongoDB server:
Two databases on my server should be restricted regarding delete/drop operations - only a special user account should be allowed to do so. All the other database should be totally unrestricted (of course excluding the admin database):
I tried to model this situation using two users:
| database A & B | all the other databases |
---------------------------------------------------------
user a | read & write | read & write |
user b | read-only | read & write |
Making everybody read all databases is easy using the readAnyDatabaserole.
However modelling that user b can only read database A & B but has read & write access to all the other databases (including those databases that are created later on) gives me a headache.
How can this security model be implemented in MongoDB?
604
To restrict MongoDB access by enabling authentication In the mongoconfiguration, set auth = true and restart the mongo service.
mongoDB database : [where as in RDBMS it's a collection of related tables] Each database gets its own set of files on the file system. A single MongoDB server typically has multiple databases.
MongoDB: db.grantRolesToUser() method is used to grants an additional role and its privileges to a user. The name of the user to whom to grant roles. An array of additional roles to grant to the user. The level of write concern for the modification.
Operations like copyDatabase, repairDatabase, etc. can lock more than onne databases involved. How can concurrency affect replica sets primary? In replication, when MongoDB writes to a collection on the primary, MongoDB also writes to the primary's oplog, which is a special collection in the local database.
It is not possible.
You can combine multiple roles and inherit them from multiple databases, but:
When granted a role, a user receives all the privileges of that role. A user can have several roles concurrently, in which case the user receives the union of all the privileges of the respective roles.
-
Roles always grant privileges and never limit access. For example, if a user has both read and readWriteAnyDatabase roles on a database, the greater access prevails.
You can find these paragraphs in mongodb authorization doc.
In order to give read write on all future databases, you need to set readWriteAnyDatabase role to userb. That means, you can't downgrade to read role, for the A and B databases.
I am afraid you need to set the roles manually for the new dbs.
197
First of all enable authentication in your mongodb.conf file
auth = true
Create a database perm for holding user permissions that we are going to create below.
use perm
then create userb with read-only permissions for DatabaseA and DatabaseB
db.createUser(
{
user: "userb",
pwd: "12345",
roles: [
{ role: "read", db: "DatabaseA" },
{ role: "read", db: "DatabaseB" }
]
}
)
userb will only be allowed to read DatabaseA and DatabaseB rest all databases access to userb will be read-write
Now userb can login with below command
mongo --port 27017 -u userb -p 12345 --authenticationDatabase perm
You should use
security:
authorization: enabled
instead of auth = true, as for the rest Rohit answer did the job.
See also : https://stackoverflow.com/a/33325891/1814774
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
